Regardless of the security expertise and resources you apply to securing your assets, you are unlikely to achieve much unless you focus on the most vulnerable element of your organization: your employees.
"Computers have become much more secure over the past 15 years, but humans have not," says Lance Spitzner, training director for the Securing the Human program at SANS Institute, a cooperative research and education organization focused on security certification. "The human really has become the weakest link."
When it comes to security, humans are low-hanging fruit
Because the technology itself is no longer necessarily the low-hanging fruit, malicious hackers are finding easier ways to penetrate organisations, like social engineering or preying upon employees with poor password discipline. Employees commonly simply don't know how to write strong passwords, how to comply with data protection policies or share data securely, Spitzner says.
"We define social engineering as understanding what makes a person think, tick, and react and then using those emotional responses to manipulate a person into taking an action that you want them to take," says Chris Hadnagy, a co-founder of security education organisation Social-Engineer.org and operations manager at security training and tools firm Offensive Security. Hadnagy is also the author of the book, Social Engineering: The Art of Human Hacking.
At the DEF CON 18 Hacking Conference in 2010, Social-Engineer.org organized its first social engineering capture the flag contest to showcase how social engineers penetrate companies' defenses.
Two weeks prior to the conference, the contestants, amateur social engineers all with little or no experience, were each given the name of a real company. They were allowed to spend the two weeks prior to the contest using "noninvasive" techniques (like Google searches) to compile a dossier on the company to which they had been assigned. They were not allowed to e-mail, telephone or contact the companies, but anything freely available on the Web was fair game. The dossiers were used to create a profile of the company and plan an "attack vector," a strategy for getting employees of the target company to reveal "flags," or bits of information.
Social-Engineer.org compiled the flags-things like who handles the firm's tape backups, what browser and version the employee used, the PDF client the employee used or whether the company had a cafeteria and who operated it. The FBI vetted the list of flags and the contest rules specifically prohibited contestants from trying to gain passwords, IP addresses or other sensitive data.
"If you can get someone to give you that information, most likely you could get someone to give you a lot more," Hadnagy says.
In front of a live audience during the conference, the contestants each had the opportunity to work the phones for 25 minutes to reach out to the organization to which they had been assigned and capture as many flags as possible.
The contestants collectively made 140 phone calls to real employees at real companies. Only five of the employees called refused to give contestants the information they were seeking. And in each case, the contestants who reached those employees were able to hang up and call another employee at the same company who did volunteer the information.
Social engineers don't just prey upon people via the phone. Phishing attacks using emails from seemingly legitimate businesses are a prime example of social engineering.
Weak passwords are the norm
When it comes to passwords, the picture is also bleak. In June, Joseph Bonneau at the University of Cambridge released the results of a study analysing 70 million passwords of Yahoo users in an effort to estimate the difficulty of guessing passwords. Bonneau concluded that humans tend to pick weak passwords.
"We find surprisingly little variation in guessing diffculty; every identifiable group of users generated a comparably weak password distribution," Bonneau writes. "Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists."
Creating a security awareness and training program
"The solution is training and education, and it does work," Spitzner says. He points to one organization that worked with SANS Institute. It managed to decrease its number of infected computers so dramatically that it was able to shift one employee from handling infected machines to working on something else.
But it's not as simple as deciding to do it, he notes. Most security awareness programs inside organizations accomplish little, he says. But the reason is that they weren't actually designed to be effective.
Start with a security awareness steering committee
To begin, he says, you should first establish a security training steering committee. The steering committee should be composed of five to 10 volunteers from a mix of departments and roles that can help to plan, execute and maintain the program. Spitzner recommends including people from audit and legal in the steering committee. He notes that the members of the committee should not only be guides, but ambassadors for the program that help get the members of their organisations on board.
Answer the 'who,' 'what' and 'how'
Once established, the steering committee needs to create a plan that answers three questions: who, what and how. 'Who' is first. Spitzner says one of the most common mistakes he sees is companies that attempt to create a monolithic security awareness and training program.
"A lot of awareness programs are simply ad hoc," he says. "A proper plan identifies who you are targeting and the scope."
In many cases, different targets-general employees/contractors, IT staff, help desk, senior management-will require different training programs.
"You need to teach absolutely everyone in your organisation that touches any data," Spitzner says.
Once the targets are identified, the steering committee needs to determine what each target needs to learn. Spitzner recommends that instead of trying to teach a little bit of everything, the training program should focus on a few topics that will have a big impact. Each organization's needs and risks will be different, so a risk assessment on each topic would be helpful. Common topics include: passwords, social engineering, compliance, email and instant messaging, browsing and browsers, social networking, mobile device security, data protection and data destruction.
The steering committee then needs to determine how it will engage employees.
"How are you going to communicate this? You have to think of awareness as a product," Spitzner says. "You have to think of engagement. Don't focus on the benefits to the organization. Focus on the benefits to the employees. In most cases, this education benefits employees both in their personal life and in the organization. If you focus on the benefits people get in their personal life, you get tremendous engagement, tremendous benefit."
Take a modular approach
Spitzner also recommends avoiding monolithic, hours-long training. Instead, he says, take a modular approach to topics. The modules could be as short as three to five minutes. Primary training should consist of a mix of short videos and onsite training, with newsletters and even sanctioned phishing assessments for reinforcement. Facebook feeds, twitter feeds, posters and flyers can also play a role. It's important that employees receive primary training once a year and then reinforcement through continuous touching throughout the year, Spitzner says.
Finally, the program requires metrics that measure employee engagement with the program and how their behavior changes as a result. The program should be reevaluated and updated at least once a year based on the metrics.